Basic Network Security_Primer

© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 1
Network Security
Primer
Authentication and Encryption Techniques
Akshat Sharma,
Cisco Systems

Core
Distribution
Catalyst
3750 Catalyst
3750
Catalyst
3750
Video-
Conferencing
Units
Server farms
C2960s
C2960s
C2960s
C2960s
C4500

Web
Auth
VLANs
802.1X ACLs
SGTs
MAB

• Defined by IEEE and designed to provide port-based
network access.
• 802.1x authenticates network clients using
information unique to the client and with credentials
known only to the client.
•Service known as port-level authentication

Username / Password
Directory
alice
c1sC0L1v
Certificate
Authority
Token
Server
Deployment Best Practices
Re-use Existing Credentials
Understand the Limitations of Existing Systems
Common Types
Passwords
Certificates
Tokens
Deciding Factors
Security Policy
Validation
Distribution & Maintenance

• The framework is defined by three authentication
processes:
1. The supplicant
Possibly a standalone device or an end user, such as a
remote user.
2. The authenticator
A device to which the supplicant directly connects and
through which the supplicant obtains network access
permission
3. The authentication server
The authenticator acts as a gateway to the authentication
server, which is responsible for actually authenticating the
supplicant.

Authenticator
(e.g. Switch, Access
Point, PAE)
Supplicant
(Client)
Enterprise NetworkSemi-Public Network /
Enterprise Edge
AuthenticationServer
(Radius Server/LDAP or
Kerberos)
R
A
D
I
U
S
NAS

• EAP
Extensible Authentication Protocol
A flexible protocol used to carry arbitrary authentication information
Typically rides on top of another protocol such as 802.1x (EAPoL) or
RADIUS/TACACS+, etc.
• EAP Messages
Request
Sent to supplicant to indicate a challenge
Response
Supplicant reply message
Success
Notification to supplicant of success
Failure
Notification to supplicant of failure

EthernetLaptop computer
802.1X Authenticator/Bridge
Radius Server
EAPOL-Start
EAP-Request/Identity
EAP-Response/Identity
EAP-Request
Radius-Access-Request
Radius-Access-Challenge
EAP-Response (cred) Radius-Access-Request
EAP-Success
Access blocked
Port connect
Radius-Access-Accept
Access allowed
RADIUSEAPOL

• MAB stands for MAC Authentication Bypass.
• It enables port-based access control using the MAC address of
the endpoint.
• A MAB-enabled port can be dynamically enabled or disabled
based on the MAC address of the device that connects to it.

• WebAuth is a Layer 3 authentication method.
• After IEEE 802.1X (or MAB) has timed out or failed, the port is
opened long enough to allow the packets required for WebAuth.
• After the port has been opened, the switch enforces a preconfigured
ACL in some VLAN
• At a minimum, the preconfigured ACL should allow the traffic required
to complete the WebAuth process. In most cases, the ACL should at
least allow DHCP (so the client can acquire an address) and DNS (so
the client can trigger WebAuth when using fully qualified domain
names in URLs).

802.1Q Trunk
EAP Authentication
AAA
Corporate
Resources
Internet
Employee
Guest User
802.1X fails
MAB : “Printer”
Employee Vlan
Web-Auth
802.1X fails
MAB fails
Guest Vlan

• Brute Force considerations : 128 to 256 bit keys
• Landauer’s Limit  kT ln 2 (10^18 Joules for 128 bits)
• Available Wireless Encryption Techniques:
WEP (outdated)
WPA + TKIP (most compatible, less secure)
WPA2+AES (Most secure)
• DO NOT use WEP!
• PKI infrastructure for strong Authentication and encryption  WPA2-AES
+ PKI based 802.1x

• Basically a pseudo random number generator that encrypts data
packets.
• Start with generic 802.11 packet
• Use a secret key plus IV to seed RC4 stream cipher to create
pseudo random number
• Create a CRC-32 of data portion of packet which is then called ICV.
• Data || ICV XOR Pseudo Random Number = Encrypted portion of
WEP Packet

Frame Header Frame Body FCS
Secret Key
(40Bits)
RC4 Algorithm
IV
(24bits)
Generic 802.11 Packet Frame
Shared before communication
begins
Created by
Sending Device
Integrity Check
Algorithm
Frame Body ICV
Frame Header IV Frame Body ICV FCS WEP Packet Frame
Encrypted

• Key Generation
• ICV Generation
• Weak Key’s and Weak IV’s
• WEP Attacks

• The main problem of WEP is Key Generation.
• Secret Key is too small, only 40 Bits.
Very susceptible to brute force attacks.
• IV is too small.
Only 16 Million different possibilities for every packet.
• Secret Keys are accessible to user, therefore not secret.
• Key distribution is done manually.

• The ICV is generated from a cyclic redundancy check (CRC-32)
Only a simple arithmetic computation. Can be done easily
by anyone.
Not cryptographically secure.
• Easy for attacker to change packet and then change ICV to get
response from AP.

• Certain keys are more susceptible to showing the relationship between
plaintext and ciphertext.
There are approx 9000 weak keys out of the 40 bit WEP
secret key.
• Weak IV will correspond to weak Keys.

• Replay
Statistical gathering of certain ciphertext that once sent to server will cause
wanted reaction.
• 802.11 LLC Encapsulation
Predictable headers to find ciphertext, plaintext combinations
• Denial of Service Attacks
Flooding the 2.4Ghz frequency with noise.

• 802.1x
• WPA
• 802.11i
• All much more secure.

Encryption
“The quick
brown fox
jumps over
the lazy
dog”
“AxCv;5bmEseTfid3)
fGsmWe#4^,sdgfMwi
r3:dkJeTsY8Rs@!q3
%”
“The quick
brown fox
jumps over
the lazy
dog”
Decryption
Plain-text input
Plain-text outputCipher-text
Same key
(shared secret)

• Strength:
Simple and really very fast (order of 1000 to 10000 faster than asymmetric
mechanisms)
Super-fast (and somewhat more secure) if done in hardware (DES, Rijndael)
• Weakness:
Must agree the key beforehand
Securely pass the key to the other party

• Knowledge of the encryption key doesn’t give you knowledge of the
decryption key
• Receiver of information generates a pair of keys
Publish the public key in a directory
• Then anyone can send him messages that only she can read

Encryption
“The quick
brown fox
jumps over
the lazy dog”
“Py75c%bn&*)9|fDe^bD
Faq#xzjFr@g5=&nmdFg
$5knvMd’rkvegMs”
“The quick
brown fox
jumps over
the lazy dog”
Decryption
Clear-text Input Clear-text OutputCipher-text
Different keys
Recipient’s
public key
Recipient’s
private key
privatepublic

• Weakness:
Extremely slow
Susceptible to “known ciphertext” attack
Problem of trusting public key (see later on PKI)
• Strength
Solves problem of passing the key
Allows establishment of trust context between parties

As above, repeated
for other recipients
or recovery agents
Digital
Envelope
Other recipient’s or
agent’s public key
(in certificate)
in recovery policy
Launch key
for nuclear
missile
“RedHeat”
is...
Symmetric key
encrypted asymmetrically
(e.g., RSA)
Digital
Envelope
User’s
public key
(in certificate)
RNG
Randomly-
Generated symmetric
“session” key
Symmetric
encryption
(e.g. DES)
*#$fjda^j
u539!3t
t389E *&@
5e%32^kd

*#$fjda^j
u539!3t
t389E *&@
5e%32^kd
Launch key
for nuclear
missile
“RedHeat”
is...
Symmetric
decryption
(e.g. DES)
Digital
Envelope
Asymmetric
decryption of
“session” key (e.g. RSA)
Symmetric
“session” key
Session key must be
decrypted using the
recipient’s private key
Digital envelope
contains “session” key
encrypted using
recipient’s public key
Recipient’s
private key

• We just solved the problem of symmetric key distribution by using
public/private keys
• But…
• Scott creates a keypair (private/public) and quickly tells the world
that the public key he published belongs to Bill
• People send confidential stuff to Bill
• Bill does not have the private key to read them…
• Scott reads Bill’s messages 
• Solution ? – Remember Digital Signatures ?

Hash
Function
(SHA, MD5)
Jrf843kjfgf*
£$&Hdif*7o
Usd*&@:<C
HDFHSD(**
Py75c%bn&*)9|fDe^b
DFaq#xzjFr@g5=&n
mdFg$5knvMd’rkveg
Ms”
This is a
really long
message
about
Bill’s…
Asymmetric
Encryption
Message or File Digital Signature128 bits Message
Digest
Calculate a short
message digest from
even a long input using a
one-way message digest
function (hash)
Signatory’s
private key
private

Jrf843kjf
gf*£$&Hd
if*7oUsd
*&@:<CHD
FHSD(**
Py75c%bn&*)
9|fDe^bDFaq
#xzjFr@g5=
&nmdFg$5kn
vMd’rkvegMs”
Asymmetric
decryption
(e.g. RSA)
Everyone has access
to trusted public key of
the signatory
Signatory’s
public key
Digital Signature
This is a
really long
message
about Bill’s…
Same hash function
(e.g. MD5, SHA…)
Original Message
Py75c%bn&*)
9|fDe^bDFaq
#xzjFr@g5=
&nmdFg$5kn
vMd’rkvegMs”
? == ?
Are They Same?

• Message is captured.
• Hash value of the message is calculated.
• Sender's private key is retrieved from the sender's digital certificate.
• Hash value is encrypted with the sender's private key.
• Encrypted hash value is appended to the message as a digital signature.
• Message is sent.

• Sender's public key is retrieved from the sender's digital certificate
• Encrypted hash value is decrypted with the sender's public key.
• Decrypted hash value is compared against the hash value produced on receipt.
• If the values match, the message is valid.
• Message is received.
• Digital signature containing
encrypted hash value is retrieved
from the message.
• Message is retrieved.
• Hash value of the message is
calculated.

Basic Network Security_Primer

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Basic Network Security_Primer (20)

More from n|u - The Open Security Community (20)

Recently uploaded (20)

Basic Network Security_Primer